Security (w7-8)

Question 1

3 Key goals of cryptography

Answer 1

Confidentiality, Data Integrety and Authentication

Question 2

Key points on symmetric encryption

Answer 2

Both parties have shared key, is fast compared to asymmetric encryption, key needs to be hidden somehow, as is a vulnerability

Question 3

Substitution Cipher - Ceaser Cipher?

Answer 3

Substitution is replaceing letters with another letter to genereate ciphertext. Ceaser Cipher is shift the alphabet by fixed number of lettters, easily reverssed, so not very safe

Question 4

Transposition Cipher - Rail Fence Cipher?

Answer 4

Transposition - re-arrange position of letters without altering their value. Rail-Fence key is kniwing the amount of rows.

Question 5

Product Cipher

Answer 5

combonation of different types of ciphers

Question 6

Unconditionally secure vs Computationally secure

Answer 6

Uncondition means ciphertext does not contain enough information to figure out the original text. Computational secure means cost to break the information exceeds the value of the information, or the time needed to break the information exceeds the useful lifetime of the informatiopn

Question 7

One Time Pad, what is it?

Answer 7

random key, as long as the message, xor the binaary as cipher

Question 8

What is frequency analysis?

Answer 8

if “a” always encodes to “f”, then it is easy to reverse. e ~13%, t~9%.

Question 9

if two parties have a shared secret, how can they authenticate each other, without showing the secret?

Answer 9

A sends B large number, B sends it back encrytped with the secret. A verifies. B sends A large number, A sends it back encypted with the secret. B verifies.

Question 10

why is a larger key more exponentially secure?

Answer 10

Larger key = more possible options = more time to brute force the key

Question 11

WHat is a hashkey and what is it used for

Answer 11

hash keys are codes that represent a file of data. changing a single letter in a file should change the hash key. use on file received, to verify no change has occurred on it.

Question 12

Is assymmetric encryption commonly used to encrypt application data?

Answer 12

No, usually symmetric encryption is used as it is faster

Question 13

How does a site with a certificate prove that the certificate has been given to him by a CA?

Answer 13

site sends hash of digital signature of CA encrypted with private key, user uses sites public key to decrypt. Only private key has power to crypt data in such a way that the public key is the only one which can decrypt the data.

Question 14

When is TLS generally implemented within a TCP connection

Answer 14

typically immediatly upon connection establishment

Question 15

In the client hello part of TLS handshake, what info is conveyed to the server

Answer 15

Highest TLS version supported, supported cipher functions, and random value

Question 16

How does Server respond to client hello?

Answer 16

server selects cipher and hash function, tls and a random value.
then sends client its sertificate, with public key, server name and who signed their certificate (CA).
Then sends ServerHelloDone

Question 17

After server sends serverhellodone, what does the client retrun? how does the server respond?

Answer 17

Sends info to allow server to use the same symmetric encryption key.
Tells server it is now using the symmetric key.
Tells server it is finished the handshake, contains data for server to verify encryption is correctly in place.
Server then says im using the encryption too, then sends a message saying the handshake is finished, with information for the client to verify encryption is correctly in place

Question 18

When client verifys the authenticity of the server, what does it check?

Answer 18

The certificate is signed by a trusted authority and certificate has not expired.
Hostname verification.

Question 19

what is the problem with libraries that dont do hostname verification, and only certificate verification

Answer 19

attackers can pass a cert with a valid cert path, that will then pass (because the hostname is not checked)

Question 20

What is passed to CA when asking for a cert?

Answer 20

A certificate signing request (CSR)

Question 21

when creating SSL sockets from socket factory, what parameters will be set by the socket factory?

Answer 21

TLS parameters,

• which TLS version to support
• which ciphers and hash to use
• which keys to use and which certs to trust

Question 22

When creating a serversocketfactory, before returning the factory instance, which key class instances are needed.

Answer 22

SSL context that speaks TLS,
Key manager which holds certs in X.509 format
JavaKeyStore instance

Question 23

before initializing the SSL context with the keys, what has to be done first?

Answer 23

KeyManagerFactory has to be initialized with a source of key material (keystore)

Question 24

where does a SSLServerSocket get an instance of a SSLServerSocket, and which protocol has to be establised before the serversocket can accept incoming sockets?

Answer 24

SSLServerSocket gets its instance from an instance of a SSLServerSocketFactory. The port has to be defined, and the TLS version has to be defined.

Question 25

How would you start a handshake from a clients point of view? 3 lines of code.

Answer 25

SSLSocketFactory factory =
 (SSLSocketFactory)SSLSocketFactory.getDefault();
 SSLSocket socket =
 (SSLSocket)factory.createSocket(, );
 socket.startHandshake();

Question 26

does java do hostname validation?

Answer 26

yes, but not by default

Question 27

before starting the handshake, which three lines of code set an HTTPS style of checking hostnames.

Answer 27

SSLParameters params = new SSLParameters();

params. setEndpointIdentificationAlgorithm(“HTTPS”);
socket. setSSLParameters(params);

Question 28

how would you get the X509 certificate for a session, and why would you need the common name from this cert?

Answer 28

before the setEndPointIdentificationAlgorithm was created, checking the Common Name in the cert was one check we could do to validate the hostname.

SSLSession sesh = socket.getSession();
X509Certificate cert = (X509Certificate)
sesh.getPeerCertificates()[0];